From 9d6dec6eae129c6b91a8d5e6c7acdb779245a6eb Mon Sep 17 00:00:00 2001
From: Leticia Webb <110556185+leticiawebb@users.noreply.github.com>
Date: Wed, 5 Mar 2025 16:35:31 -0700
Subject: [PATCH 1/4] Add SAML setup instructions for Duo and update direct
link
---
docs/cloud/security/saml-sso-setup.md | 38 ++++++++++++++++++++++-----
1 file changed, 31 insertions(+), 7 deletions(-)
diff --git a/docs/cloud/security/saml-sso-setup.md b/docs/cloud/security/saml-sso-setup.md
index 7d9b90d7410..42fb458fa10 100644
--- a/docs/cloud/security/saml-sso-setup.md
+++ b/docs/cloud/security/saml-sso-setup.md
@@ -58,7 +58,7 @@ We recommend setting up a **direct link to your organization** in addition to yo
- Attribute mapping: `email = user.email`
- - Direct link to access your organization: `https://console.clickhouse.cloud?connection={organizationid}`
+ - Direct link to access your organization: `https://console.clickhouse.cloud/?connection={organizationid}`
For specific configuration steps, refer to your specific identity provider below.
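Review bot: the commit message gives no reason for inserting `/` before `?connection=` in the direct link (the `+` line under "Attribute mapping"), and the same substitution is repeated in every later hunk of this patch. Add one sentence to the message stating why the path separator is needed, so a later edit does not quietly revert it.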
@@ -149,7 +149,7 @@ You will configure two App Integrations in Okta for each ClickHouse organization
5. Select a label for the app.
- 6. Enter the URL as `https://console.clickhouse.cloud?connection={organizationid}`
+ 6. Enter the URL as `https://console.clickhouse.cloud/?connection={organizationid}`
7. Go to the **Assignments** tab and add the group you created above.
@@ -206,7 +206,7 @@ You will configure two App Integrations in Okta for each ClickHouse organization
### Configure Google SAML {#configure-google-saml}
-You will configure one SAML app in Google for each organization and must provide your users the direct link (`https://console.clickhouse.cloud?connection={organizationId}`) to bookmark if using multi-org SSO.
+You will configure one SAML app in Google for each organization and must provide your users the direct link (`https://console.clickhouse.cloud/?connection={organizationId}`) to bookmark if using multi-org SSO.
Create a Google Web App
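Review bot: the placeholder in the Google SAML paragraph is spelled `{organizationId}`, while every other URL touched by this patch uses `{organizationid}`. The line is being rewritten anyway, so settle on one spelling; a reader substituting the value should not have to wonder whether the difference is meaningful.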
@@ -290,7 +290,7 @@ Azure (Microsoft) SAML may also be referred to as Azure Active Directory (AD) or
|---------------------------|-------|
| Identifier (Entity ID) | `urn:auth0:ch-production:{organizationid}` |
| Reply URL (Assertion Consumer Service URL) | `https://auth.clickhouse.cloud/login/callback?connection={organizationid}` |
- | Sign on URL | `https://console.clickhouse.cloud?connection={organizationid}` |
+ | Sign on URL | `https://console.clickhouse.cloud/?connection={organizationid}` |
| Relay State | Blank |
| Logout URL | Blank |
@@ -313,6 +313,30 @@ Azure (Microsoft) SAML may also be referred to as Azure Active Directory (AD) or
+
+ Create a Generic SAML Service Provider for Duo
+ 1. Follow the instructions for [Duo Single Sign-On for Generic SAML Service Providers](https://duo.com/docs/sso-generic).
+
+ 2. Use the following Bridge Attribute mapping:
+
+ | Bridge Attribute | ClickHouse Attribute |
+ |:-------------------|:-----------------------|
+ | | email |
+
+ 3. Use the following values to update your Cloud Application in Duo:
+
+ | Field | Value |
+ |:----------|:-------------------------------------------|
+ | Entity ID | `urn:auth0:ch-production:{organizationid}` |
+ | Assertion Consumer Service (ACS) URL | `https://auth.clickhouse.cloud/login/callback?connection={organizationid}` |
+ | Service Provider Login URL | `https://console.clickhouse.cloud/?connection={organizationid}` |
+
+ 4. Gather these two items and go to Submit a Support Case above to complete the process:
+ - Single Sign-On URL
+ - Certificate
+
+
+
## How It Works {#how-it-works}
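Review bot: the Bridge Attribute cell in the step 2 mapping table is empty (`| | email |`), so the one attribute mapping this Duo setup relies on cannot be configured from the text as committed here; 2/4 fills it in, and that fix belongs in this commit. In the same block, the new section has no `###` heading with an anchor like the Google SAML section above it, "Submit a Support Case above" in step 4 is plain text rather than a link to that section, and "Certificate" does not say which certificate the reader should collect. The three trailing blank `+` lines before `## How It Works` can be reduced to one.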
@@ -322,11 +346,11 @@ We only utilize service provider initiated SSO. This means users go to `https://
### Assigning User Roles {#assigning-user-roles}
-Users will appear in your ClickHouse Cloud console after they are assigned to your IdP application and log in for the first time. At least one SSO user should be assigned the Admin role in your organization. Use social login or `https://console.clickhouse.cloud?with=email` to log in with your original authentication method to update your SSO role.
+Users will appear in your ClickHouse Cloud console after they are assigned to your IdP application and log in for the first time. At least one SSO user should be assigned the Admin role in your organization. Use social login or `https://console.clickhouse.cloud/?with=email` to log in with your original authentication method to update your SSO role.
### Removing Non-SSO Users {#removing-non-sso-users}
-Once you have SSO users set up and have assigned at least one user the Admin role, the Admin can remove users using other methods (e.g. social authentication or user ID + password). Google authentication will continue to work after SSO is set up. User ID + password users will be automatically redirected to SSO based on their email domain unless users use `https://console.clickhouse.cloud?with=email`.
+Once you have SSO users set up and have assigned at least one user the Admin role, the Admin can remove users using other methods (e.g. social authentication or user ID + password). Google authentication will continue to work after SSO is set up. User ID + password users will be automatically redirected to SSO based on their email domain unless users use `https://console.clickhouse.cloud/?with=email`.
### Managing Users {#managing-users}
@@ -334,7 +358,7 @@ ClickHouse Cloud currently implements SAML for SSO. We have not yet implemented
### Multi-Org SSO {#multi-org-sso}
-ClickHouse Cloud supports multi-organization SSO by providing a separate connection for each organization. Use the direct link (`https://console.clickhouse.cloud?connection={organizationid}`) to log in to each respective organization. Be sure to log out of one organization before logging into another.
+ClickHouse Cloud supports multi-organization SSO by providing a separate connection for each organization. Use the direct link (`https://console.clickhouse.cloud/?connection={organizationid}`) to log in to each respective organization. Be sure to log out of one organization before logging into another.
## Additional Information {#additional-information}
From e1f9f10b63c8afe474f966728780396afb2940a0 Mon Sep 17 00:00:00 2001
From: Leticia Webb <110556185+leticiawebb@users.noreply.github.com>
Date: Wed, 5 Mar 2025 16:53:20 -0700
Subject: [PATCH 2/4] Formatting
---
docs/cloud/security/saml-sso-setup.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/cloud/security/saml-sso-setup.md b/docs/cloud/security/saml-sso-setup.md
index 42fb458fa10..6044b29c614 100644
--- a/docs/cloud/security/saml-sso-setup.md
+++ b/docs/cloud/security/saml-sso-setup.md
@@ -313,6 +313,8 @@ Azure (Microsoft) SAML may also be referred to as Azure Active Directory (AD) or
+### Configure Duo SAML {#configure-duo-saml}
+
Create a Generic SAML Service Provider for Duo
1. Follow the instructions for [Duo Single Sign-On for Generic SAML Service Providers](https://duo.com/docs/sso-generic).
@@ -321,7 +323,7 @@ Azure (Microsoft) SAML may also be referred to as Azure Active Directory (AD) or
| Bridge Attribute | ClickHouse Attribute |
|:-------------------|:-----------------------|
- | | email |
+ | Email Address | email |
3. Use the following values to update your Cloud Application in Duo:
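Review bot: replacing the empty cell with `Email Address` changes what the reader configures in Duo, which the subject "Formatting" does not convey. Reword the subject or fold this change into 1/4, and confirm the label is written exactly as it appears in Duo, since the reader will match it against what they see there.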
From 41d8aac1946552b872508512bb802f72ebae91b3 Mon Sep 17 00:00:00 2001
From: Leticia Webb <110556185+leticiawebb@users.noreply.github.com>
Date: Wed, 5 Mar 2025 16:59:11 -0700
Subject: [PATCH 3/4] Formatting
---
docs/cloud/security/saml-sso-setup.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs/cloud/security/saml-sso-setup.md b/docs/cloud/security/saml-sso-setup.md
index 6044b29c614..23f7241af7b 100644
--- a/docs/cloud/security/saml-sso-setup.md
+++ b/docs/cloud/security/saml-sso-setup.md
@@ -317,6 +317,7 @@ Azure (Microsoft) SAML may also be referred to as Azure Active Directory (AD) or
Create a Generic SAML Service Provider for Duo
+
1. Follow the instructions for [Duo Single Sign-On for Generic SAML Service Providers](https://duo.com/docs/sso-generic).
2. Use the following Bridge Attribute mapping:
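Review bot: a single blank line added under "Create a Generic SAML Service Provider for Duo", text that 1/4 introduced, is better squashed into 1/4 than carried as its own commit. As the series stands, three of the four subjects read "Formatting" and each intermediate commit leaves the Duo section partly unfinished.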
From 5285cfa8c4c72fc4d4b874d32216034761888033 Mon Sep 17 00:00:00 2001
From: Leticia Webb <110556185+leticiawebb@users.noreply.github.com>
Date: Wed, 5 Mar 2025 17:02:37 -0700
Subject: [PATCH 4/4] Formatting
---
docs/cloud/security/saml-sso-setup.md | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/docs/cloud/security/saml-sso-setup.md b/docs/cloud/security/saml-sso-setup.md
index 23f7241af7b..34057a005fc 100644
--- a/docs/cloud/security/saml-sso-setup.md
+++ b/docs/cloud/security/saml-sso-setup.md
@@ -322,17 +322,17 @@ Azure (Microsoft) SAML may also be referred to as Azure Active Directory (AD) or
2. Use the following Bridge Attribute mapping:
- | Bridge Attribute | ClickHouse Attribute |
- |:-------------------|:-----------------------|
- | Email Address | email |
+ | Bridge Attribute | ClickHouse Attribute |
+ |:-------------------|:-----------------------|
+ | Email Address | email |
3. Use the following values to update your Cloud Application in Duo:
- | Field | Value |
- |:----------|:-------------------------------------------|
- | Entity ID | `urn:auth0:ch-production:{organizationid}` |
- | Assertion Consumer Service (ACS) URL | `https://auth.clickhouse.cloud/login/callback?connection={organizationid}` |
- | Service Provider Login URL | `https://console.clickhouse.cloud/?connection={organizationid}` |
+ | Field | Value |
+ |:----------|:-------------------------------------------|
+ | Entity ID | `urn:auth0:ch-production:{organizationid}` |
+ | Assertion Consumer Service (ACS) URL | `https://auth.clickhouse.cloud/login/callback?connection={organizationid}` |
+ | Service Provider Login URL | `https://console.clickhouse.cloud/?connection={organizationid}` |
4. Gather these two items and go to Submit a Support Case above to complete the process:
- Single Sign-On URL
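Review bot: the removed and added rows of both tables differ only in leading whitespace, so the commit message should say what indentation the tables are moved to and that the goal is to nest them under list items 2 and 3. Check the rendered page after this change, because a table that is not aligned with its list item's content breaks out of the numbered list and restarts the numbering.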